12:16 p.m.
Hi!
I've role-ldap-mapper defined for my LDAP federation.
I can see on user logon, KeyCloak is issuing LDAP search with filter build
on role-ldap-mapper conditions.
KeyCloak is requesting whole resource from LDAP - in my case groups are
quite big.
If I understand correctly, only 'dn' attribute could be requested, since
query is being done anyway for each user on his logon.
In my case current approach results in waiting for LDAP response for over
20 seconds. In case only "dn" attribute for group would be requested, LDAP
response time is very short.
Is there a way to instruct role-ldap-mapper to retrieve only 'dn'
attribute, and assing a requesting user all groups based only by retrieved
'dn' attributes?
AdamLis;
2:38 a.m.
Currently just the "dn" is retrieved and the membership attribute
(typically "member"). I guess your roles are big because they have
thousands of "member" items on them, is it correct?
Few tips:
- Maybe if you have possibility to configure "User Roles Retrieve
Strategy" to be "MEMBER_OF" ? This will work if your LDAP server
supports it and if it tracks role memberships on "memberOf" attribute of
user. If it works, you can maybe configure "Membership attribute" to
some non-existing value (eg. "foo"), which mean that roles from LDAP
will be retrieved really just with the DN attribute.
- It's also possible to create your own version of mapper and enhance
some functionality. You may need to override
RoleLDAPStorageMapperFactory and RoleLDAPStorageMapper and override some
methods like for example "createRoleQuery()" . See our
server-development guide for tips how to create and deploy your own
providers.
- Create JIRA if none of the above won't work for you. But not sure when
we manage to look into it though...
Marek
On 27/09/17 19:16, Adam Lis wrote:
Hi!
I've role-ldap-mapper defined for my LDAP federation.
I can see on user logon, KeyCloak is issuing LDAP search with filter build
on role-ldap-mapper conditions.
KeyCloak is requesting whole resource from LDAP - in my case groups are
quite big.
If I understand correctly, only 'dn' attribute could be requested, since
query is being done anyway for each user on his logon.
In my case current approach results in waiting for LDAP response for over
20 seconds. In case only "dn" attribute for group would be requested, LDAP
response time is very short.
Is there a way to instruct role-ldap-mapper to retrieve only 'dn'
attribute, and assing a requesting user all groups based only by retrieved
'dn' attributes?
AdamLis;
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:58 a.m.
Hi!
Thanks for your reply, it really helped much. In fact my group entry has
thousands of member entries - in my case that are 'uniquemember' entries.
So I've took a look at other strategy:
https://github.com/keycloak/keycloak/blob/cb57dbf58ae5ea07ac3a6348e77ab2d...
Following this, I took a look at 'keycloak/models/LDAPConstants.java':
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254...
So actually in LDAPConstants.java there is MEMBER_OF defined:
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254...
As I can see some of there parameters are adjustable via WebGUI per User
Federation -> LDAP based Provider settings, while some other are not.
"MEMBER_OF" seems not be in WebGUI.
In my case LDAP is configured to return inside user entry, his/her groups
but not in 'memberOf' attribute (as it defaults in mentioned Java file) but
in 'someWeirdMembershipAttribute'. I'm not able to change LDAP behavior in
that field.
So my next 2 questions would be:
1) am I able to adjust 'MEMBER_OF' variable per my specific LDAP federation
provider - I'm actually sending JSON containing provider definition, so I'd
only need confirmation that I could do this;
2) in case my LDAP is not returning 'memberOf' parameter per any user,
would change a value of 'MEMBER_OF' from 'memberOf' to
'someWeirdMembershipAttribute' affect this federated source of user in any
other way that I'm willing it too?
Thanks;
AdamLis;
2017-09-28 9:38 GMT+02:00 Marek Posolda <mposolda(a)redhat.com>:
Currently just the "dn" is retrieved and the membership
attribute
(typically "member"). I guess your roles are big because they have
thousands of "member" items on them, is it correct?
Few tips:
- Maybe if you have possibility to configure "User Roles Retrieve
Strategy" to be "MEMBER_OF" ? This will work if your LDAP server supports
it and if it tracks role memberships on "memberOf" attribute of user. If it
works, you can maybe configure "Membership attribute" to some non-existing
value (eg. "foo"), which mean that roles from LDAP will be retrieved really
just with the DN attribute.
- It's also possible to create your own version of mapper and enhance some
functionality. You may need to override RoleLDAPStorageMapperFactory and
RoleLDAPStorageMapper and override some methods like for example
"createRoleQuery()" . See our server-development guide for tips how to
create and deploy your own providers.
- Create JIRA if none of the above won't work for you. But not sure when
we manage to look into it though...
Marek
On 27/09/17 19:16, Adam Lis wrote:
Hi!
I've role-ldap-mapper defined for my LDAP federation.
I can see on user logon, KeyCloak is issuing LDAP search with filter build
on role-ldap-mapper conditions.
KeyCloak is requesting whole resource from LDAP - in my case groups are
quite big.
If I understand correctly, only 'dn' attribute could be requested, since
query is being done anyway for each user on his logon.
In my case current approach results in waiting for LDAP response for over
20 seconds. In case only "dn" attribute for group would be requested, LDAP
response time is very short.
Is there a way to instruct role-ldap-mapper to retrieve only 'dn'
attribute, and assing a requesting user all groups based only by retrieved
'dn' attributes?
AdamLis;
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
8:16 a.m.
Yes, you're right. Until now, there wasn't a use-case to use different
attribute name then MEMBER_OF . Unfortunately we don't support Tivoli
and don't test with it. So this will require to add new config parameter
to group/role mapper though. Feel free to send PR if you want to
contribute it.
There is also possibility that you override Group/Role mapper and add
the new strategy, which will be same like builtin
GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, but will use your attribute
instead of MEMBER_OF.
Marek
On 28/09/17 16:58, Adam Lis wrote:
Hi!
Thanks for your reply, it really helped much. In fact my group entry has
thousands of member entries - in my case that are 'uniquemember' entries.
So I've took a look at other strategy:
https://github.com/keycloak/keycloak/blob/cb57dbf58ae5ea07ac3a6348e77ab2d...
Following this, I took a look at 'keycloak/models/LDAPConstants.java':
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254...
So actually in LDAPConstants.java there is MEMBER_OF defined:
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254...
As I can see some of there parameters are adjustable via WebGUI per User
Federation -> LDAP based Provider settings, while some other are not.
"MEMBER_OF" seems not be in WebGUI.
In my case LDAP is configured to return inside user entry, his/her groups
but not in 'memberOf' attribute (as it defaults in mentioned Java file) but
in 'someWeirdMembershipAttribute'. I'm not able to change LDAP behavior in
that field.
So my next 2 questions would be:
1) am I able to adjust 'MEMBER_OF' variable per my specific LDAP federation
provider - I'm actually sending JSON containing provider definition, so I'd
only need confirmation that I could do this;
2) in case my LDAP is not returning 'memberOf' parameter per any user,
would change a value of 'MEMBER_OF' from 'memberOf' to
'someWeirdMembershipAttribute' affect this federated source of user in any
other way that I'm willing it too?
Thanks;
AdamLis;
2017-09-28 9:38 GMT+02:00 Marek Posolda <mposolda(a)redhat.com>:
> Currently just the "dn" is retrieved and the membership attribute
> (typically "member"). I guess your roles are big because they have
> thousands of "member" items on them, is it correct?
>
> Few tips:
> - Maybe if you have possibility to configure "User Roles Retrieve
> Strategy" to be "MEMBER_OF" ? This will work if your LDAP server
supports
> it and if it tracks role memberships on "memberOf" attribute of user. If
it
> works, you can maybe configure "Membership attribute" to some non-existing
> value (eg. "foo"), which mean that roles from LDAP will be retrieved
really
> just with the DN attribute.
>
> - It's also possible to create your own version of mapper and enhance some
> functionality. You may need to override RoleLDAPStorageMapperFactory and
> RoleLDAPStorageMapper and override some methods like for example
> "createRoleQuery()" . See our server-development guide for tips how to
> create and deploy your own providers.
>
> - Create JIRA if none of the above won't work for you. But not sure when
> we manage to look into it though...
>
> Marek
>
> On 27/09/17 19:16, Adam Lis wrote:
>
> Hi!
>
> I've role-ldap-mapper defined for my LDAP federation.
>
> I can see on user logon, KeyCloak is issuing LDAP search with filter build
> on role-ldap-mapper conditions.
>
> KeyCloak is requesting whole resource from LDAP - in my case groups are
> quite big.
>
> If I understand correctly, only 'dn' attribute could be requested, since
> query is being done anyway for each user on his logon.
>
> In my case current approach results in waiting for LDAP response for over
> 20 seconds. In case only "dn" attribute for group would be requested, LDAP
> response time is very short.
>
> Is there a way to instruct role-ldap-mapper to retrieve only 'dn'
> attribute, and assing a requesting user all groups based only by retrieved
> 'dn' attributes?
>
> AdamLis;
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2646
days inactive
2648
days old
3 comments
2 participants
participants (2)
-
Adam Lis -
Marek Posolda